Łukasz Michalski
2019-Jun-07 15:37 UTC
[Samba] Automatically assigning uidNumber / gidNumber attributes
On 05.06.2019 22:40, Rowland penny via samba wrote:
>>
>> https://lists.samba.org/archive/samba/2019-June/223478.html
>> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a
>> gidNumber attribute."
> Domain Admins is a group that must own files in Sysvol. Samba runs on
> Unix and groups cannot own files on Unix, so Domain Admins is mapped
> as ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain Admins a
> group and a user. If you give Domain Admins a gidNumber attribute, it
> becomes just a group and cannot own files.
>>

Now I am confused. Reading "Adding a share" on domain member here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share

If with idmap-ad I do not set gidNumber to Domain Admins, will I not be able to chown to that group?

Is it better to create another administrative group for managing file permissions?

Regards,
Łukasz
Rowland penny
2019-Jun-07 15:48 UTC
[Samba] Automatically assigning uidNumber / gidNumber attributes
On 07/06/2019 16:37, Łukasz Michalski via samba wrote:
> On 05.06.2019 22:40, Rowland penny via samba wrote:
>>>
>>> https://lists.samba.org/archive/samba/2019-June/223478.html
>>> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a
>>> gidNumber attribute."
>> Domain Admins is a group that must own files in Sysvol. Samba runs on
>> Unix and groups cannot own files on Unix, so Domain Admins is mapped
>> as ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain Admins a
>> group and a user. If you give Domain Admins a gidNumber attribute, it
>> becomes just a group and cannot own files.
>>>
>
> Now I am confused. Reading "Adding a share" on domain member here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share
>
> If with idmap-ad I do not set gidNumber to Domain Admins, will I not be
> able to chown to that group?
>
> Is it better to create another administrative group for managing file
> permissions?
>
> Regards,
> Łukasz
>

OK, I will add something to that page :)

Domain Admins needs to own files in Sysvol; Domain Admins is a group and groups cannot own files on Unix. To counter this, Domain Admins is mapped to 'ID_TYPE_BOTH' in idmap.ldb, which makes it a group and a user. If you give Domain Admins a gidNumber, it breaks this mapping and it just becomes a group and, as I said, groups cannot own files on Unix ;-)

I personally create a group called 'Unix Admins', give this group a gidNumber and make it a member of the 'Administrators' group.

If you use the 'rid' backend, then you do not need to do anything.

Rowland
Christian
2019-Jun-11 08:41 UTC
[Samba] Automatically assigning uidNumber / gidNumber attributes
On 07.06.2019 at 17:48, Rowland penny via samba wrote:
> On 07/06/2019 16:37, Łukasz Michalski via samba wrote:
>> On 05.06.2019 22:40, Rowland penny via samba wrote:
>>>>
>>>> https://lists.samba.org/archive/samba/2019-June/223478.html
>>>> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a
>>>> gidNumber attribute."
>>> Domain Admins is a group that must own files in Sysvol. Samba runs
>>> on Unix and groups cannot own files on Unix, so Domain Admins is
>>> mapped as ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain
>>> Admins a group and a user. If you give Domain Admins a gidNumber
>>> attribute, it becomes just a group and cannot own files.
>>>>
>>
>> Now I am confused. Reading "Adding a share" on domain member here:
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share
>>
>> If with idmap-ad I do not set gidNumber to Domain Admins, will I not
>> be able to chown to that group?
>>
>> Is it better to create another administrative group for managing file
>> permissions?
>>
>> Regards,
>> Łukasz
>>
> OK, I will add something to that page :)
>
> Domain Admins needs to own files in Sysvol; Domain Admins is a group
> and groups cannot own files on Unix. To counter this, Domain Admins is
> mapped to 'ID_TYPE_BOTH' in idmap.ldb, which makes it a group and a
> user. If you give Domain Admins a gidNumber, it breaks this mapping
> and it just becomes a group and, as I said, groups cannot own files on
> Unix ;-)
>
> I personally create a group called 'Unix Admins', give this group a
> gidNumber and make it a member of the 'Administrators' group.
>
> If you use the 'rid' backend, then you do not need to do anything.

Rowland, this discussion was very useful to me and not obvious at all from the existing documentation. Having recently assigned a uidNumber to Administrator and a gidNumber to Domain Admins, how would I undo this? ldbmodify and just remove the entries? Anything I need to change on the two DCs?

The permissions on the shares of the member servers are still easily fixed at this point. Not sure about our print server with driver download, though...

Thanks,
Christian
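As an added illustration of the two points above (Rowland's explanation that a gidNumber on Domain Admins turns the ID_TYPE_BOTH mapping into a group-only one, and Christian's question about undoing it with ldbmodify), here is a small Python check that is not part of the thread or of Samba. It reads constructed LDIF that stands in for `ldbsearch` output from sam.ldb and idmap.ldb (all DNs, SIDs and numbers are made-up placeholders), flags the misconfiguration, and emits the `delete: gidNumber` LDIF Christian describes; whether removing the attribute alone restores the mapping is an assumption the thread does not confirm.

```python
# Constructed sample: a Domain Admins entry from sam.ldb after someone set
# a gidNumber on it (DN, SID and gidNumber are placeholders, not real data).
SAMPLE_AD_ENTRY = """\
dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
gidNumber: 10000
"""

# Constructed sample idmap.ldb record for the same SID (values made up).
SAMPLE_IDMAP_ENTRY = """\
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-512
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
type: ID_TYPE_BOTH
xidNumber: 3000000
"""


def parse_ldif(text):
    """Minimal LDIF reader for a single entry: attribute -> list of values."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(": ")
        if sep:
            entry.setdefault(key, []).append(value)
    return entry


def check_domain_admins(ad_ldif, idmap_ldif):
    """Return findings that explain why Domain Admins could not own files."""
    ad, idmap = parse_ldif(ad_ldif), parse_ldif(idmap_ldif)
    findings = []
    sid = ad.get("objectSid", [""])[0]
    if not sid.endswith("-512"):          # Domain Admins always has RID 512
        findings.append("entry is not Domain Admins (RID 512): " + sid)
    if "gidNumber" in ad:                 # the condition Rowland warns about
        findings.append("gidNumber=%s present: Domain Admins becomes group-only"
                        % ad["gidNumber"][0])
    if idmap.get("type", [""])[0] != "ID_TYPE_BOTH":
        findings.append("idmap.ldb type is %s, not ID_TYPE_BOTH"
                        % idmap.get("type", ["missing"])[0])
    return findings


def removal_ldif(dn):
    """LDIF for ldbmodify that deletes the gidNumber attribute (assumed to be
    the 'just remove the entries' step Christian asks about)."""
    return "dn: %s\nchangetype: modify\ndelete: gidNumber\n-\n" % dn
```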